Active Roles 8.1.1 - Built-in Access Templates Reference Guide

AD LDS (ADAM)

The Configuration > Access Templates > AD LDS (ADAM) container of the Active Roles Console contains Access Templates (ATs) for delegating Active Directory Lightweight Directory Services (AD LDS) data management tasks within your organization. These include managing AD LDS containers, groups, Organizational Units (OUs) and users.

AD LDS (ADAM) – General ATs

To delegate data management tasks for the resources stored in your Active Directory Lightweight Directory Services (AD LDS) environment, use the Access Templates (ATs) in the root of the Configuration > Access Templates > AD LDS (ADAM) container of the Active Roles Console. Data management tasks include managing users, groups, printers, or computers.

Table 9: AD LDS (ADAM) data management Access Templates

Access Template

Description

AD LDS Containers - Full Control

Grants full permission to:

  • Create new AD LDS containers.

  • Perform all administrative operations on existing AD LDS containers.

AD LDS Containers - Modify All Properties

Grants the following permissions:

  • List all AD LDS containers.

  • View or modify the properties of any AD LDS container.

AD LDS Containers - Read All Properties

Grants the following permissions:

  • List all AD LDS containers.

  • View the properties of any AD LDS container.

AD LDS Groups - Add/Remove Members

Grants the following permissions:

  • List all AD LDS groups.

  • View or modify the members of AD LDS groups.

AD LDS Groups - Full Control

Grants full permission to:

  • Create new AD LDS groups.

  • Perform all management tasks on existing AD LDS groups.

AD LDS Groups - Modify All Properties

Grants the following permissions:

  • List AD LDS groups.

  • View or modify all properties of AD LDS groups.

AD LDS Groups - Read All Properties

Grants the following permissions:

  • List AD LDS groups.

  • View all properties of AD LDS groups.

AD LDS OUs - Full Control

Grants full permission to:

  • Create new AD LDS Organizational Units (OUs).

  • Perform all management tasks on existing AD LDS OUs.

AD LDS OUs - Modify All Properties

Grants the following permissions:

  • List AD LDS OUs.

  • View or modify all properties of AD LDS OUs.

AD LDS OUs - Read All Properties

Grants the following permissions:

  • List AD LDS OUs.

  • View all properties of AD LDS OUs.

AD LDS Users - Full Control

Grants full permission to:

  • Create new AD LDS user accounts.

  • Perform all management tasks on existing AD LDS user accounts.

AD LDS Users - Modify All Properties

Grants the following permissions:

  • List AD LDS user accounts.

  • View or modify all properties of AD LDS user accounts.

AD LDS Users - Read All Properties

Grants the following permissions:

  • List AD LDS user accounts.

  • View all properties of AD LDS user accounts.

All AD LDS Objects - Full Control

Grants full permission to perform any management task on any AD LDS object.

All AD LDS Objects - Read All Properties

Grants the following permissions:

  • List all AD LDS objects.

  • View all properties of any AD LDS object.

Azure

The Configuration > Access Templates > Azure container of the Active Roles Console contains Access Templates (ATs) for managing Azure AD resources. These Azure AD resources include:

  • Hybrid Azure configurations.

  • Hybrid and cloud-only Azure users and guest users.

  • Hybrid and cloud-only Azure contacts.

  • Hybrid and cloud-only Azure groups.

  • Microsoft 365 groups.

This container has a Special sub-container, containing an additional AT to facilitate searching for Azure resources in the Active Roles Web Interface. For more information, see Azure – General ATs.

Azure – General ATs

The Configuration > Access Templates > Azure container of the Active Roles Console contains Access Templates (ATs) to delegate Azure AD resource management tasks. Resource management tasks include searching, creating, reading, updating or deleting Azure tenants, users, guest users, groups and so on.

Table 10: Azure AD data management Access Templates

Access Template

Description

Azure - Configuration Administrator

Grants the following permissions:

  • Read and write Azure tenants.
  • Read and write Azure applications.
  • Read Azure health check reports.
  • Read Azure license reports.
  • Read Azure roles reports.

Azure - Contact Full Control

Grants the following permissions:

  • Add and enable new Azure contacts.
  • View existing Azure contacts.
  • Update the properties of existing Azure contacts.

Azure - Full Control

Grants full permission to:

  • Read and write Azure configuration objects.
  • Read and write Azure user attributes.
  • Read and write Azure group attributes.
  • Read and write Azure M365 group objects.

Azure - Group Full Control

Grants the following permissions:

  • Add and enable new Azure groups.
  • View existing Azure groups.
  • Update the properties of existing Azure groups.

Azure - Health Check, O365 Roles Report and License Report

Grants permission to access the Azure health check, M365 roles and license reports.

NOTE: This Access Template must be applied on a Configuration container.

Azure - Read All Attributes

Grants permission to read all Azure attributes.

NOTE: This AT provides no additional permissions.

Azure - Read All Contact Attributes

Grants permission to read all Azure contact attributes.

NOTE: This AT provides no additional permissions.

Azure - Read All Group Attributes

Grants the following permissions:

  • List all Azure groups.

  • View all Azure group properties.

Azure - Read All User Attributes

Grants permission to read all Azure user and guest user attributes.

NOTE: This AT provides no additional permissions.

Azure - User Full Control

Grants the following permissions:

  • Create new Azure user and guest user accounts.

  • Perform all administrative operations on existing Azure user and guest user accounts.

Azure Cloud Contact - Create Objects

Grants permission to create cloud-only Azure contact accounts.

NOTE: This AT provides no additional permissions.

Azure Cloud Contact - Delete Objects

Grants permission to delete cloud-only Azure contact accounts.

NOTE: This AT provides no additional permissions.

Azure Cloud Contact - Full Control

Grants the following permissions:

  • Create new cloud-only Azure contact accounts.

  • Perform all administrative operations on existing cloud-only Azure contact accounts.

Azure Cloud Contact - Modify Objects

Grants permission to modify cloud-only Azure contact accounts.

NOTE: This AT provides no additional permissions.

Azure Cloud Contact - Read All Attributes

Grants permission to read all cloud-only Azure contact attributes.

NOTE: This AT provides no additional permissions.

Azure Cloud User - Create Objects

Grants permission to create cloud-only Azure user accounts.

NOTE: This AT provides no additional permissions.

Azure Cloud User - Delete Objects

Grants permission to delete cloud-only Azure user accounts.

NOTE: This AT provides no additional permissions.

Azure Cloud User - Full Control

Grants the following permissions:

  • Create new cloud-only Azure user accounts.

  • Perform all administrative operations on existing cloud-only Azure user accounts.

Azure Cloud User - Modify Objects

Grants permission to modify cloud-only Azure user accounts.

NOTE: This AT provides no additional permissions.

Azure Cloud User - Read All Attributes

Grants permission to read all cloud-only Azure user attributes.

NOTE: This AT provides no additional permissions.

Azure Distribution Groups - Create Objects

Grants permission to create Azure distribution groups.

NOTE: This AT provides no additional permissions.

Azure Distribution Groups - Delete Objects

Grants permission to delete Azure distribution groups.

NOTE: This AT provides no additional permissions.

Azure Distribution Groups - Full Control

Grants the following permissions:

  • Add and enable new Azure distribution groups.
  • View existing Azure distribution groups.
  • Update the properties of existing Azure distribution groups.

Azure Distribution Groups - Modify Members

Grants permission to modify the members of Azure distribution groups.

NOTE: This AT provides no additional permissions.

Azure Distribution Groups - Modify Objects

Grants the following permissions:

  • List all Azure distribution groups.

  • Update all Azure distribution group properties.

Azure Distribution Groups - Read All Attributes

Grants the following permissions:

  • List all Azure distribution groups.

  • Read all Azure distribution group properties.

Azure Dynamic Distribution Groups - Create Objects

Grants permission to create Azure dynamic distribution groups.

Azure Dynamic Distribution Groups - Delete Objects

Grants permission to delete Azure dynamic distribution groups.

Azure Dynamic Distribution Groups - Full Control

Grants the following permissions:

  • Add and enable new Azure dynamic distribution groups.

  • View existing Azure dynamic distribution groups.

  • Update the properties of existing Azure dynamic distribution groups.

Azure Dynamic Distribution Groups - Modify Members

Grants permission to modify the members of Azure dynamic distribution groups.

Azure Dynamic Distribution Groups - Modify Objects

Grants permission to list all Azure dynamic distribution groups and modify their properties.

Azure Dynamic Distribution Groups - Full Control

Grants permission to list all Azure dynamic distribution groups and view their properties.

Azure Guest User - Create Objects

Grants permission to create Azure guest user accounts.

NOTE: This AT provides no additional permissions.

Azure Guest User - Delete Objects

Grants permission to delete Azure guest user accounts.

NOTE: This AT provides no additional permissions.

Azure Guest User - Full Control

Grants the following permissions:

  • Create new Azure guest user accounts.

  • Perform all administrative operations on existing Azure guest user accounts.

Azure Guest User - Modify Objects

Grants the following permissions:

  • List all Azure guest user accounts.

  • Update all Azure guest user properties.

Azure Guest User - Read All Attributes

Grants the following permissions:

  • List all Azure guest user accounts.

  • Read all Azure guest user properties.

Azure Health Check Report

Grants permission to access Azure health check reports.

NOTE: This Access Template must be applied on a Configuration container.

Azure License Report

Grants permission to access Azure license reports.

NOTE: This Access Template must be applied on a Configuration container.

Azure Microsoft365 Groups - Create Objects

Grants permission to create M365 groups.

NOTE: This AT provides no additional permissions.

Azure Microsoft365 Groups - Full Control

Grants the following permissions:

  • Add and enable new Azure M365 groups.
  • View existing Azure M365 groups.
  • Update the properties of existing Azure M365 groups.

Azure Microsoft365 Groups - Modify members

Grants permission to modify the membership list of M365 groups.

Azure Microsoft365 Groups - Read All Attributes

Grants the following permissions:

  • List all Azure M365 groups.

  • View all Azure M365 group properties.

Azure O365 Roles Report

Grants permission to access M365 roles reports.

NOTE: This Access Template must be applied on a Configuration container.

Azure Resource Mailboxes - Create Objects

Grants permission to create Azure resource mailboxes.

NOTE: This AT provides no additional permissions.

Azure Resource Mailboxes - Delete Objects

Grants permission to delete Azure resource mailboxes.

NOTE: This AT provides no additional permissions.

Azure Resource Mailboxes - Full Control

Grants the following permissions:

  • Add and enable new Azure resource mailboxes.

  • View existing Azure resource mailboxes.

  • Update the properties of existing Azure resource mailboxes.

Azure Resource Mailboxes - Modify Objects

Grants the following permissions:

  • List all Azure resource mailboxes.

  • Update the properties of Azure resource mailboxes.

Azure Resource Mailboxes - Read All Attributes

Grants the following permissions:

  • List all Azure resource mailboxes.

  • Read the properties of Azure resource mailboxes.

Azure Security Group - Create Objects

Grants permission to create Azure security groups.

NOTE: This AT provides no additional permissions.

Azure Security Group - Delete Objects

Grants permission to delete Azure security groups.

NOTE: This AT provides no additional permissions.

Azure Security Group - Full Control

Grants the following permissions:

  • Add and enable new Azure security groups.

  • View existing Azure security groups.

  • Update the properties of existing Azure security groups.

Azure Security Group - Modify Members

Grants permission to modify the members of Azure security groups.

Azure Security Group - Modify Objects

Grants the following permissions:

  • List all Azure security groups.

  • Update all Azure security group properties.

Azure Security Group - Read All Attributes

Grants the following permissions:

  • List all Azure security groups.

  • Read all Azure security group properties.

Azure Shared Mailboxes - Create Objects

Grants permission to create Azure shared mailboxes.

NOTE: This AT provides no additional permissions.

Azure Shared Mailboxes - Delete Objects

Grants permission to delete Azure shared mailboxes.

NOTE: This AT provides no additional permissions.

Azure Shared Mailboxes - Full Control

Grants the following permissions:

  • Add and enable new Azure shared mailboxes.

  • View existing Azure shared mailboxes.

  • Update the properties of existing Azure shared mailboxes.

Azure Shared Mailboxes - Modify Members

Grants the following permissions:

  • List all Azure shared mailboxes.

  • Update all Azure shared mailbox properties.

Azure Shared Mailboxes - Read All Attributes

Grants the following permissions:

  • List all Azure shared mailboxes.

  • Read all Azure shared mailbox properties.
